package com.jdbc.utils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

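/**
 * Demonstrates a classic SQL-injection bug and its fix.
 *
 * <p>The original {@link #login} spliced the caller-supplied name and password straight into
 * the query text, so the payload {@code 'or' 1=1} turned the WHERE clause into a tautology and
 * returned every row of {@code users}. The query is now sent as a {@link PreparedStatement}
 * with bound parameters: the same payload is compared literally against the columns and
 * matches nothing.
 */
public class SQLinjection {
    /**
     * Runs the login demo.
     *
     * <p>Requires a reachable database via {@code JdbcUtils}; without one the attempt only
     * prints a stack trace.
     */
    public static void main(String[] args) {
        // Normal login
        //login("tom","123456");
        /*  name=tom
            password=123456*/
        // SQL-injection attempt. With the old string-built query this printed every user;
        // with bound parameters it prints nothing, because the payload is just a literal value.
        login("'or' 1=1","'or' 1=1");
        /* Output observed with the old, concatenated query:
        *   name=tom
            password=123456
            ==========================
            name=wangwu
            password=123456
            ==========================
            name=dasima
            password=123456
            ==========================
        * */
    }

    /**
     * Looks up the user rows matching the given credentials and prints them to stdout.
     *
     * <p>Both arguments are treated as untrusted input and are bound as query parameters,
     * never concatenated into the SQL text. The demo prints the {@code password} column as
     * returned by the database; production code should not store plaintext passwords nor write
     * credentials to stdout or logs.
     *
     * @param username value matched against the {@code NAME} column
     * @param password value matched against the {@code password} column
     */
    public static void login(String username, String password) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        // Placeholders keep the statement text fixed; the driver sends the values separately,
        // so quotes or operators inside them cannot change the query's structure.
        final String sql = "select * from `users` where `NAME`=? AND `password`=?";
        try {
            conn = JdbcUtils.getConnection(); // connection comes from the project's JDBC helper
            ps = conn.prepareStatement(sql);
            ps.setString(1, username);
            ps.setString(2, password);
            rs = ps.executeQuery();
            while (rs.next()) {
                System.out.println("name="+ rs.getObject("NAME"));
                System.out.println("password="+ rs.getObject("password"));
                System.out.println("==========================");
            }
        } catch (SQLException e) {
            // Demo code with no logger wired up: report on stderr instead of swallowing.
            e.printStackTrace();
        } finally {
            // release(...) takes a Statement; PreparedStatement is a subtype, so it closes here too.
            JdbcUtils.release(conn, ps, rs);
        }
    }
}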
